ABSTRACT 

A network traffic monitoring system includes a router, a 
terminal adaptor, a digital service unit, a frame relay/leased 
network, a traffic monitoring apparatus, and a monitor. A 
subscriber line is connected to the router. The terminal 
adaptor interfaces the router to the network side. The digital 
service unit is connected to the terminal adaptor through an 
I interface. The frame relay/leased network is made up of at 
least one of a higher-speed relay router and a switching unit 
and transmission lines. The traffic monitoring apparatus 
monitors the internet traffic on a physical line between the 
terminal adaptor and the digital service unit. The monitor 
controls the traffic monitoring means to start and stop 
totalization processing, sets a subnet mask for determining 
a totalization unit, and acquires traffic information as a 
totalization result from the traffic monitoring apparatus. 

8 Claims, 4 Drawing Sheets 
NETWORK TRAFFIC MONITORING SYSTEM

BACKGROUND OF THE INVENTION

The present invention relates to a network traffic monitoring
system applied to a wide area network.

In a conventional traffic monitoring apparatus applied to
a LAN (Local Area Network), source IP (Internet Protocol)
addresses and destination IP addresses are read out, and a
totalization table associated with the traffic transmitted with
combinations of source and destination IP addresses is
generated, thus performing data collection. For example,
such a conventional technique is disclosed in Japanese
Patent Laid-Open Nos. 5-075621, 6-318944, 8-181711, and
Q_ IQ1327.

When the above conventional scheme is to be applied to
a wide area network (WAN) without any modification, the
following problems arise.

First, in a WAN, an enormous number of combinations of
source and destination IP addresses will be collected. For
example, in a WAN including n hosts, the number of
combinations of source and destination IP addresses for
communication between the IP hosts within a unit collection
time may become n(n-1) in the worst case depending on the
network arrangement. The traffic trend in a large-scale WAN
cannot be properly analyzed by using IP host communication
information alone.

Second, in a traffic monitoring apparatus, a large memory
is required to store combinations of source and destination
IP addresses, and a long CPU processing time is required to
search the table. In addition, the performance of the monitor
deteriorates as the amounts of data collected and analyzed/
displayed increase.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a
network traffic monitoring system which can collect statistic
information in units of subnets and totalize/monitor the
traffic suitable for a WAN.

In order to achieve the above object according to the
present invention, there is provided a network traffic
monitoring system comprising a router to which a subscriber line
is connected, a terminal adaptor for interfacing the router to
a network side, a digital service unit connected to the
terminal adaptor through an I interface, a frame relay/leased
network made up of at least one of a higher-speed relay
router and a switching unit and transmission lines, a traffic
monitoring means for monitoring internet traffic on a physical
line between the terminal adaptor and the digital service
unit, and monitor means for controlling the traffic monitoring
means to start and stop totalization processing, setting a
subnet mask for determining a totalization unit, and acquiring
traffic information as a totalization result from the traffic
monitoring means.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the schematic arrangement
of a network traffic monitoring system applied to a
wide area network (WAN) according to an embodiment of
the present invention;

FIG. 2 is a block diagram showing a traffic monitoring
apparatus in FIG. 1;

FIG. 3 is a view showing an example of a data link layer
frame;

FIG. 4 is a view showing subnets, each having a plurality
of IP hosts connected to the user side of a subscriber router;
and

FIG. 5 is a view showing the relationship between collected
frames and address pair tables in a case wherein IP
addresses are net-masked with net mask values.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will be described in detail below
with reference to the accompanying drawings.

FIG. 1 schematically shows a network traffic monitoring
system according to an embodiment of the present invention.
A case wherein the system is applied to a wide area
network will be described. Referring to FIG. 1, the traffic
monitoring system includes routers 1 to which subscriber
lines are connected, terminal adaptors (TAs) 2 for interfacing
the routers 1 to the network side, digital service units
(DSUs) 3 connected to the TAs 2 through I interfaces, a
frame relay/leased network 4 composed of a higher-speed
relay router, a switching unit, and transmission lines, a traffic
monitoring apparatus 5 for monitoring the internet traffic
through branch cables connected to the T points between the
TAs and the DSUs, and a monitor 6 for controlling the traffic
monitoring apparatus 5 to start/stop totalization processing,
setting a subnet mask for determining a totalization unit, and
acquiring traffic information as the totalization result
obtained by the traffic monitoring apparatus 5 with a simple
network management protocol (SNMP) through a LAN 16.
The traffic monitoring apparatus 5 and the monitor 6 are
connected to each other through a management interface for
exchanging control information and totalization result
information.

FIG. 2 shows the traffic monitoring apparatus 5 in FIG. 1.
Referring to FIG. 2, the traffic monitoring apparatus 5 is
made up of a plurality of interface sections 7 for monitoring
the frame relay/leased network 4 between the TAs and the
DSUs and extracting frame data from the physical layer in
units of data link layer frames, e.g., Q.922 frames shown in
FIG. 3 or PPP frames, and an analyzer section 8 for
analyzing/totalizing data link layer frames from the interface
sections 7 into network layer frames.

The Q.922 frame has a frame format consisting of a start
flag, an address field (higher octet and lower octet), an
information field, an FCS (Frame Check Sequence), and an
end flag, as shown in FIG. 3.

Each interface section 7 includes an IF (interface) module
13 for monitoring the traffic between the T point and the I
interface, and a monitor CPU (Central Processing Unit) 14
for controlling the monitoring operation of the IF module
and outputting the monitoring result to the analyzer section
8. The monitor CPU 14 has a DPM (Dual Port Memory).

The analyzer section 8 includes a data totalizing section 9
for totalizing source and destination IP addresses in units of
IP address pairs and totalizing statistic information between
subnet address pairs of source and destination subnet
addresses, a shared memory section 10 for storing the
totalization result from the data totalizing section 9, an
SNMP agent section 11 for performing control based on the
monitor 6 and transmitting the totalization result, and a
device driver 12 for driving the data totalizing section 9. The
data totalizing section 9 has a counter (not shown) for
counting in units of PVCs (Permanent Virtual Calls).

The traffic monitoring apparatus 5 can also be designed to
monitor the traffic of a plurality of physical lines in two
directions.

The operation of the above traffic monitoring system will 
be sequentially described next. In the traffic monitoring 
system of the present invention, a unit of data to be gathered 
can be set when the data of IP address pairs of source and 
destination IP addresses are to be collected. 

1. When the monitor 6 is to request the traffic monitoring 
apparatus 5 to start data collection, the monitor 6 sets the 
mask bits of IP addresses to acquire the traffic volume 
between subnets. 

In this case, the masks of IP addresses can be set in units 
of (255.255.255.0), (255.255.0.0), (255.0.0.0), or the like or 
mask bits can be set in units of bits. 

2. Upon reception of a mask value, the traffic monitoring 
apparatus 5 stores it in the analyzer section 8 in FIG. 2, and 
starts collecting traffic data through the interface section 7. 

3. The traffic monitoring apparatus 5 monitors physical 
layer frames flowing on a frame relay/leased network 
through the interface section 7, and extracts data in units of 
data link layer frames (the Q.922 frame shown in FIG. 3 for 
the frame relay; and the PPP frame for the leased network, 
in particular) from a start/end flag position. The traffic 
monitoring apparatus 5 then transfers the data from the 
interface section 7 to the analyzer section 8. 

4. The analyzer section 8 analyzes each transferred data 
link layer frame, and analyzes the internet traffic on the layer 
3/4/application level on the basis of the value of the 
information field. 

More specifically, if the frame corresponds to the frame 
relay line, the network layer protocol of the Q.922 frame on 
the data link layer is identified on the basis of the identifier 
(DLCI) of the PVC and the value (NLPID or the like) of the 
information field. If the frame is IP data, the source and 
destination IP addresses are read from the header 
information. 

5. If no subnet mask is set, totalization tables are generated 
in units of combinations of source and destination IP 
addresses, and statistic information about IP address pairs of 
source and destination IP addresses are collected. 

In this case, for example, the contents of each totalization 
table include transmission directions, PVC identifiers 
(DLCIs), protocol types, source and destination IP 
addresses, collection start times, the number of octets, the 
number of packets, and the like. 

6. If a subnet mask is set, traffic data are totalized in units 
of subnets by net-masking source and destination IP 
addresses, and the totalization results are formed into a 
totalization table. That is, the source and destination subnet 
addresses are collected and totalized by ANDing the set 
subnet mask and the source and destination IP addresses of 
IP headers. 

7. The totalization table is temporarily stored in the shared 
memory section 10 of the traffic monitoring apparatus 5. The 
SNMP agent section 11 transmits the totalization data to the 
monitor 6. 

8. The monitor 6 analyzes and displays the traffic statistic 
information about the subnets. 

With the above operation, the statistic information 
between subnets can be collected as well as the statistic 
information between points. 

Totalization processing to be performed in units of subnets 
will be described next with reference to FIGS. 4 and 5. 

Assume that a subnet 18 has a plurality of IP hosts 19 
connected to the user side of the subscriber router, and 
communication data is sent between hosts with IP address 
"A.A.A.A" and IP address "B.B.B.B" and between hosts 
with IP address "A.A.A.C" and IP address "B.B.B.D", as 
shown in FIG. 4. 

For example, FIG. 5 shows the relationship between 
collected frames and address pair tables in a case wherein 
the subnet address portions of the IP addresses are 
net-masked with the subnet mask value "255.255.255.0". 

When the subnet address portions of the source/ 
destination IP address pairs in the collected IP datagrams (IP 
headers and IP data) are net-masked, n address pairs of 
"A.A.A.A" and "B.B.B.B" and m address pairs of 
"A.A.A.C" and "B.B.B.D" are totalized (n+m) as 
combinations of "A.A.A.0" and "B.B.B.0" in single source/ 
destination subnet address pair table 1. In this case, a 
combination of source address "C.C.C.C" and destination 
address "B.B.B.D" is totalized in source/destination subnet 
address pair table 2. 

In addition, detailed traffic analysis can be performed by 
also measuring the traffic between source and destination IP 
addresses, as needed. 

As has been described above, the present invention has 
the following effects. 

In the network traffic monitoring system of the present 
invention, traffic information can be collected and totalized 
in units of subnets, instead of statistic information between 
points, by setting a data totalization unit in collecting 
source/destination IP address pair data. This allows 
execution of internet traffic trend analysis in a large-scale WAN. 

In addition, statistic information can be collected in units 
of subnets, instead of statistic information between points, 
by net-masking source and destination IP addresses in 
totalizing IP packets. This makes it possible to totalize/ 
monitor traffic in accordance with a WAN. 

Furthermore, the memory capacities required for both the 
traffic monitoring apparatus and the monitor can be reduced, 
and their performance can be improved. 
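
The totalization of steps 4 to 6 and the FIG. 5 case can be tried with the following added example, which is not part of the patent text. It assumes the RFC 2427 layout for IP over frame relay (2-octet Q.922 address, control 0x03, NLPID 0xCC), counts the IP total length as the "number of octets", and stands in 10.1.1.x, 10.2.2.x and 10.3.3.x for the A, B and C addresses; all function names and sample frames are constructed.

```python
import ipaddress
import struct
from collections import defaultdict

NLPID_IP = 0xCC  # assumption: RFC 2427 NLPID for routed IPv4

def parse_frame(frame):
    """(dlci, src, dst, ip_len) for an IPv4 frame; input has flags and FCS removed."""
    if len(frame) < 4 + 20:
        return None                                  # truncated frame
    dlci = ((frame[0] >> 2) << 4) | (frame[1] >> 4)  # 10-bit DLCI from address field
    if frame[2] != 0x03 or frame[3] != NLPID_IP:
        return None                                  # not UI + IP NLPID
    ip = frame[4:]
    if ip[0] >> 4 != 4:
        return None                                  # not IPv4
    ip_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = (int.from_bytes(ip[i:i + 4], "big") for i in (12, 16))
    return dlci, src, dst, ip_len

def totalize(frames, mask=None):
    """Totalization table keyed by (dlci, src, dst); mask=None keeps host pairs."""
    m = int(ipaddress.IPv4Address(mask)) if mask else 0xFFFFFFFF
    to_s = lambda a: str(ipaddress.IPv4Address(a & m))  # AND with the set mask
    table = defaultdict(lambda: {"packets": 0, "octets": 0})
    for f in frames:
        rec = parse_frame(f)
        if rec is None:
            continue                                 # non-IP frames are not totalized
        dlci, src, dst, n = rec
        row = table[(dlci, to_s(src), to_s(dst))]
        row["packets"] += 1
        row["octets"] += n
    return dict(table)

def make_frame(dlci, src, dst, payload_len):
    """Build a constructed sample frame (IP header checksum left at zero)."""
    addr = bytes([((dlci >> 4) & 0x3F) << 2, ((dlci & 0x0F) << 4) | 0x01])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return addr + bytes([0x03, NLPID_IP]) + ip + bytes(payload_len)

# Constructed frames mirroring FIG. 5: two A.A.A.A->B.B.B.B, one A.A.A.C->B.B.B.D,
# one C.C.C.C->B.B.B.D, all on DLCI 16.
SAMPLE = [make_frame(16, "10.1.1.1", "10.2.2.2", 100),
          make_frame(16, "10.1.1.1", "10.2.2.2", 50),
          make_frame(16, "10.1.1.3", "10.2.2.4", 30),
          make_frame(16, "10.3.3.3", "10.2.2.4", 10)]
```

Calling totalize(SAMPLE) yields three host-pair rows, while totalize(SAMPLE, "255.255.255.0") collapses them into the two subnet-pair tables of FIG. 5; widening the mask shrinks the table further, which is the memory saving the description claims.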
What is claimed is: 

1. A network traffic monitoring system comprising: 

a router to which a subscriber line is connected; 

a terminal adaptor for interfacing said router to a network 
side; 

a digital service unit connected to said terminal adaptor 
through an I interface; 

a frame relay/leased network made up of at least one of a 
higher-speed relay router and a switching unit and 
transmission lines; 

a traffic monitoring means for monitoring internet traffic 
on a physical line between said terminal adaptor and 
said digital service unit; and 

monitor means for controlling said traffic monitoring 
means to start and stop totalization processing, setting 
a subnet mask for determining a totalization unit, and 
acquiring traffic information as a totalization result 
from said traffic monitoring means. 

2. A system according to claim 1, wherein said traffic 
monitoring means is connected to a predetermined point 
between said terminal adaptor and said digital service unit 
through a branch cable. 

3. A system according to claim 1, wherein said monitor 
means acquires the traffic information as the totalization 
result from said traffic monitoring means with a simple 
network monitoring protocol (SNMP). 

4. A system according to claim 1, wherein said traffic 
monitoring means and said monitor means are connected to 
each other through a management interface for exchanging 
control information and totalization result information. 

5. A system according to claim 1, wherein said traffic 
monitoring means monitors internet traffic on a plurality of 
physical lines between said terminal adaptor and said digital 
service unit in two directions. 

6. A system according to claim 1, wherein said traffic 
monitoring means comprises: 

interface means for monitoring said frame relay/leased 
network between said terminal adaptor and said digital 
service unit, and extracting frame data from a physical 
layer in units of data link layer frames on the basis of 
a monitoring result; and 

analyzer means for analyzing and totalizing a data link 
layer frames output from said interface means into 
network layer frames. 

7. A system according to claim 1, wherein said analyzer 
means comprises: 

data totalizing means for totalizing IP address pairs of 
source and destination IP addresses of IP (internet 
protocol) headers, and totalizing statistic information 
between subnet address pairs of source and destination 
subnet addresses upon subnet mask setting; 

memory means for storing a totalization result from said 
data totalizing means; and 

SNMP agent means for performing control based on said 
monitor means and transmitting the totalization result 
stored in said memory means. 

8. A system according to claim 7, wherein said data 
totalizing means reads out source and destination IP 
addresses of an IP header, and ANDs the subnet mask set by 
said monitor means and the source and destination IP 
addresses of the IP header, thereby acquiring source and 
destination subnet addresses. 